Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

Windows PowerShell Increasingly Abused by Attackers

The Windows PowerShell scripting tool is being increasingly used by malicious actors not only for data theft, but also for ransomware attacks, researchers have warned.

The Windows PowerShell scripting tool is being increasingly used by malicious actors not only for data theft, but also for ransomware attacks, researchers have warned.

Windows PowerShell is a task-based command line shell and scripting language that enables IT teams to control and automate the administration of the operating system and applications. Built on the .NET Framework, the tool is available for all current versions of Windows, and it has been included by default starting with Windows 7.

Experts believe cybercriminals are increasingly relying on PowerShell because this is not a common technique and IT administrators who are usually on the lookout for malicious binaries might overlook threats that abuse the scripting tool.

In late March 2014, Trend Micro came across a new malware family, which they dubbed CRIGENT (Power Worm). Distributed as Word or Excel documents, CRIGENT relies on PowerShell to retrieve system information from the infected device and infect other Word and Excel files stored on the affected computer.

In May, Trend Micro researchers identified a new attack leveraging PowerShell. The threat had been distributed with the aid of emails purporting to come from Duo Wei Times, a US-based Chinese newspaper.

In this case, PowerShell has been used to download files and bypass execution policies. First, potential victims are served a shortcut (.lnk) file, detected by Trend Micro as LNK_PRESHIN.JTT, containing PowerShell commands in its properties. When executed, LNK_PRESHIN.JTT downloads another PowerShell scripting file, TROJ_PRESHIN.JTT, which in turn downloads and executed the final payload, BKDR_PRESHIN.JTT.

In a blog post published on Sunday, Trend Micro detailed a piece of ransomware, TROJ_POSHCODER.A, which uses PowerShell to encrypt files. POSHCODER, which appears to target Internet users in the United States, uses AES to encrypt the files, and RSA 4096 bit encryption to exchange the AES key.

This is not the first time experts have indentified a piece of ransomware using PowerShell. Back in early March, researchers from Sophos warned of Russian ransomware that used Windows PowerShell to perform file encryption with “Rijndael symmetric key encryption.” At the time, experts discovered that the encryption keys could be easily obtained with the aid of PowerShell.

Advertisement. Scroll to continue reading.
Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Hear from experts as they explore the latest trends, challenges and innovations in Attack Surface Management.

Register

Event: ICS Cybersecurity Conference

The leading industrial cybersecurity conference for Operations, Control Systems and IT/OT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.

Register

People on the Move

Cloud networking firm Aviatrix has named John Qian as CISO.

CrowdStrike has appointed Kartik Shahani as vice president of India and SAARC.

Jill Popelka has been appointed CEO at Darktrace, after serving as COO for three months.

More People On The Move

Expert Insights